Fixes for cloud Elastic 7 (#260)

2025-10-23 04:51:57 +00:00 · 2019-10-03 17:38:43 +02:00
parent d3220826fc
commit ca1578ed27
13 changed files with 233 additions and 46 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,13 +1,24 @@
 # Change Log
 All notable changes to this project will be documented in this file.

+## Wazuh Docker v3.10.2_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.2_7.3.2
+
+## Wazuh Docker v3.10.0_7.3.2
+
+### Added
+
+- Update to Wazuh version 3.10.0_7.3.2
+
 ## Wazuh Docker v3.9.5_7.2.1

 ### Added

 - Update to Wazuh version 3.9.5_7.2.1

-
 ## Wazuh Docker v3.9.4_7.2.0

 ### Added
@@ -15,8 +26,6 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.4_7.2.0
 - Implemented Wazuh Filebeat Module ([jm404](https://www.github.com/jm404)) [#2a77c6a](https://github.com/wazuh/wazuh-docker/commit/2a77c6a6e6bf78f2492adeedbade7a507d9974b2)

-## Wazuh Docker v3.9.4_6.8.1
-

 ## Wazuh Docker v3.9.3_7.2.0

@@ -44,6 +53,13 @@ All notable changes to this project will be documented in this file.
 - Update to Wazuh version 3.9.2_6.8.0


+## Wazuh Docker v3.9.1_7.1.0
+
+### Added
+
+- Support for Elastic v7.1.0
+- New environment variables for Kibana ([@manuasir](https://github.com/manuasir)) [#22ad43](https://github.com/wazuh/wazuh-docker/commit/22ad4360f548e54bb0c5e929f8c84a186ad2ab88)
+
 ## Wazuh Docker v3.9.1_6.8.0

 ### Added
--- a/README.md
+++ b/README.md
@@ -57,7 +57,7 @@ In addition, a docker-compose file is provided to launch the containers mentione

 * `stable` branch on correspond to the latest Wazuh-Docker stable version.
 * `master` branch contains the latest code, be aware of possible bugs on this branch.
-* `Wazuh.Version_ElasticStack.Version` (for example 3.9.5_7.2.1) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.
+* `Wazuh.Version_ElasticStack.Version` (for example 3.10.2_7.3.2) branch. This branch contains the current release referenced in Docker Hub. The container images are installed under the current version of this branch.

 ## Credits and Thank you

--- a/4
+++ b/4
@@ -1,2 +1,2 @@
-WAZUH-DOCKER_VERSION="3.9.5_7.2.1"
-REVISION="3950"
+WAZUH-DOCKER_VERSION="3.10.2_7.3.2"
+REVISION="31020"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,7 @@ version: '2'

 services:
  wazuh:
-    image: wazuh/wazuh:3.9.5_7.2.1
+    image: wazuh/wazuh:3.10.2_7.3.2
    hostname: wazuh-manager
    restart: always
    ports:
@@ -13,26 +13,26 @@ services:
      - "55000:55000"
    depends_on:
      - logstash
-  logstash:
-    image: wazuh/wazuh-logstash:3.9.3_6.8.1
-    hostname: logstash
-    restart: always
-    links:
-      - elasticsearch:elasticsearch
-    ports:
-      - "5000:5000"
-    depends_on:
-      - elasticsearch
-    environment:
-      - LS_HEAP_SIZE=2048m
-      - SECURITY_ENABLED=yes
-      - SECURITY_LOGSTASH_USER=service_logstash
-      - SECURITY_LOGSTASH_PASS=logstash_pass
-      - LOGSTASH_OUTPUT=https://elasticsearch:9200
-      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
+  # logstash:
+  #   image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
+  #   hostname: logstash
+  #   restart: always
+  #   links:
+  #     - elasticsearch:elasticsearch
+  #   ports:
+  #     - "5000:5000"
+  #   depends_on:
+  #     - elasticsearch
+  #   environment:
+  #     - LS_HEAP_SIZE=2048m
+  #     - SECURITY_ENABLED=no
+  #     - SECURITY_LOGSTASH_USER=service_logstash
+  #     - SECURITY_LOGSTASH_PASS=logstash_pass
+  #     - LOGSTASH_OUTPUT=https://elasticsearch:9200
+  #     - ELASTICSEARCH_URL=https://elasticsearch:9200
+  #     - SECURITY_CA_PEM=server.TEST-CA-signed.pem
  elasticsearch:
-    image: wazuh/wazuh-elasticsearch:3.9.5_7.2.1
+    image: wazuh/wazuh-elasticsearch:3.10.2_7.3.2
    hostname: elasticsearch
    restart: always
    ports:
@@ -58,7 +58,7 @@ services:
    mem_limit: 2g

  kibana:
-    image: wazuh/wazuh-kibana:3.9.5_7.2.1
+    image: wazuh/wazuh-kibana:3.10.2_7.3.2
    hostname: kibana
    restart: always
    depends_on:
@@ -68,7 +68,7 @@ services:
      - wazuh:wazuh
    environment:
      - ELASTICSEARCH_URL=https://elasticsearch:9200
-      - SECURITY_ENABLED=yes
+      - SECURITY_ENABLED=no
      - SECURITY_KIBANA_USER=service_kibana
      - SECURITY_KIBANA_PASS=kibana_pass
      - SECURITY_KIBANA_SSL_KEY_PATH=/usr/share/kibana/config/ssl/private
@@ -77,3 +77,18 @@ services:
      - SECURITY_CA_PEM=server.TEST-CA-signed.pem
    ports:
      - "5601:5601"
+
+  nginx:
+    image: wazuh/wazuh-nginx:3.10.2_7.3.2
+    hostname: nginx
+    restart: always
+    environment:
+      - NGINX_PORT=443
+      - NGINX_CREDENTIALS
+    ports:
+      - "80:80"
+      - "443:443"
+    depends_on:
+      - kibana
+    links:
+      - kibana:kibana
--- a/elasticsearch/Dockerfile
+++ b/elasticsearch/Dockerfile
@@ -17,6 +17,9 @@ ENV WAZUH_ALERTS_SHARDS="1" \

 ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /usr/share/elasticsearch/config

+RUN yum install epel-release -y && \
+    yum install jq -y
+
 # This CA is created for testing. Please set your own CA zip containing the key and the signed certificate. 
 # command: $ docker build <elasticsearch_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION> --build-arg SECURITY_CA_KEY_LOCATION=<CA_KEY_LOCATION>
 # ENV variables are necessary: SECURITY_CA_PEM, SECURITY_CA_KEY, SECURITY_CA_TRUST, SECURITY_OPENSSL_CONF 
--- a/elasticsearch/config/35-entrypoint_load_settings.sh
+++ b/elasticsearch/config/35-entrypoint_load_settings.sh
@@ -174,6 +174,53 @@ if [ "x$CONFIG_CODE" != "x200" ]; then
  ' > /dev/null
 else
  echo "LOAD SETTINGS - Wazuh APP already configured"
+  echo "LOAD SETTINGS - Check if it is an upgrade from Elasticsearch 6.x to 7.x"
+  wazuh_search_request=`curl -s ${auth} "$el_url/.wazuh/_search?pretty"`
+  full_type=`echo $wazuh_search_request | jq .hits.hits | jq .[] | jq ._type`
+  elasticsearch_request=`curl -s $auth "$el_url"`
+  full_elasticsearch_version=`echo $elasticsearch_request | jq .version.number`
+  type=`echo "$full_type" | tr -d '"'`
+  elasticsearch_version=`echo "$full_elasticsearch_version" | tr -d '"'`
+  elasticsearch_major="${elasticsearch_version:0:1}"
+
+  if [[ $type == "wazuh-configuration" ]] && [[ $elasticsearch_major == "7" ]]; then
+    echo "LOAD SETTINGS - Elasticsearch major = $elasticsearch_major."
+    echo "LOAD SETTINGS - Reindex .wazuh in .wazuh-backup."
+    
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh"
+      },
+      "dest": {
+        "index": ".wazuh-backup"
+      }
+    }
+    '
+    echo "LOAD SETTINGS - Remove .wazuh index."
+    curl -s  ${auth} -XDELETE "$el_url/.wazuh"
+
+    echo "LOAD SETTINGS - Reindex .wazuh-backup in .wazuh."
+    curl -s ${auth} -XPOST "$el_url/_reindex" -H 'Content-Type: application/json' -d'
+    {
+      "source": {
+        "index": ".wazuh-backup"
+      },
+      "dest": {
+        "index": ".wazuh"
+      }
+    }
+    '
+    curl -s ${auth} -XPUT "https://elasticsearch:9200/.wazuh-backup/_settings?pretty" -H 'Content-Type: application/json' -d'
+    {
+        "index" : {
+            "number_of_replicas" : 0
+        }
+    }
+    '
+
+  fi
+
 fi
 sleep 5

--- a/kibana/Dockerfile
+++ b/kibana/Dockerfile
@@ -1,4 +1,4 @@
-# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
 FROM docker.elastic.co/kibana/kibana:7.3.2
 ARG ELASTIC_VERSION=7.3.2
 ARG WAZUH_VERSION=3.10.2
@@ -7,17 +7,6 @@ ARG WAZUH_APP_VERSION="${WAZUH_VERSION}_${ELASTIC_VERSION}"
 USER root

 ADD  https://packages.wazuh.com/wazuhapp/wazuhapp-${WAZUH_APP_VERSION}.zip /tmp
-
-# This CA is created for testing. Please set your own CA pem signed certificate. 
-# command: $ docker build <kibana_directory> --build-arg SECURITY_CA_PEM_LOCATION=<CA_PEM_LOCATION>
-# ENV variables are necessary: SECURITY_CA_PEM 
-# Sample:
-# ARG SECURITY_CA_PEM_LOCATION="config/server.TEST-CA-signed.pem"
-ARG SECURITY_CA_PEM_LOCATION=""
-
-# CA for secure communication with Elastic
-ADD $SECURITY_CA_PEM_LOCATION /usr/share/kibana/config
-
 RUN /usr/share/kibana/bin/kibana-plugin install --allow-root file:///tmp/wazuhapp-${WAZUH_APP_VERSION}.zip 
 RUN rm -rf /tmp/wazuhapp-${WAZUH_APP_VERSION}.zip

@@ -96,8 +85,10 @@ RUN /usr/local/bin/kibana-docker --optimize

 USER root

-RUN chmod 777 /usr/share/kibana/plugins/wazuh/config.yml
-RUN chmod 777 /usr/share/kibana/plugins/wazuh
+RUN chmod 660 /usr/share/kibana/plugins/wazuh/config.yml && \
+    chmod 775 /usr/share/kibana/plugins/wazuh && \
+    chown root:kibana /usr/share/kibana/plugins/wazuh/config.yml && \
+    chown root:kibana /usr/share/kibana/plugins/wazuh

 USER kibana

--- a/kibana/config/xpack_config.sh
+++ b/kibana/config/xpack_config.sh
@@ -10,6 +10,7 @@ then
    [xpack.searchprofiler.enabled]=$XPACK_DEVTOOLS
    [xpack.ml.enabled]=$XPACK_ML
    [xpack.canvas.enabled]=$XPACK_CANVAS
+    [xpack.logstash.enabled]=$XPACK_LOGS
    [xpack.infra.enabled]=$XPACK_INFRA
    [xpack.monitoring.enabled]=$XPACK_MONITORING
    [xpack.maps.enabled]=$XPACK_MAPS
@@ -31,6 +32,7 @@ xpack.grokdebugger.enabled: $XPACK_DEVTOOLS
 xpack.searchprofiler.enabled: $XPACK_DEVTOOLS
 xpack.ml.enabled: $XPACK_ML
 xpack.canvas.enabled: $XPACK_CANVAS
+xpack.logstash.enabled: $XPACK_LOGS
 xpack.infra.enabled: $XPACK_INFRA
 xpack.monitoring.enabled: $XPACK_MONITORING
 xpack.maps.enabled: $XPACK_MAPS
--- a/wazuh/Dockerfile
+++ b/wazuh/Dockerfile
@@ -10,6 +10,7 @@ ENV API_USER="foo" \
   API_PASS="bar"

 ARG TEMPLATE_VERSION="v3.10.2"
+ENV FILEBEAT_DESTINATION="elasticsearch"

 # Install packages
 RUN set -x && \
@@ -56,8 +57,8 @@ RUN chmod +x /etc/service/wazuh-api/run && \
   chmod +x /etc/service/filebeat/run 

 # Copy configuration files from repository
-COPY config/filebeat.yml /etc/filebeat/
-RUN chmod go-w /etc/filebeat/filebeat.yml 
+COPY config/filebeat_to_elasticsearch.yml ./
+COPY config/filebeat_to_logstash.yml ./

 # Prepare permanent data
 # Sync calls are due to https://github.com/docker/docker/issues/9547
@@ -94,12 +95,16 @@ RUN mkdir /entrypoint-scripts
 COPY config/entrypoint.sh /entrypoint.sh
 COPY config/00-decrypt_credentials.sh /entrypoint-scripts/00-decrypt_credentials.sh
 COPY config/01-wazuh.sh /entrypoint-scripts/01-wazuh.sh
+COPY config/02-set_filebeat_destination.sh /entrypoint-scripts/02-set_filebeat_destination.sh
+COPY config/03-config_filebeat.sh /entrypoint-scripts/03-config_filebeat.sh
 COPY config/05-remove_credentials_file.sh /entrypoint-scripts/05-remove_credentials_file.sh
 COPY config/10-backups.sh /entrypoint-scripts/10-backups.sh
 COPY config/20-ossec-configuration.sh /entrypoint-scripts/20-ossec-configuration.sh
 RUN chmod 755 /entrypoint.sh && \
-    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
    chmod 755 /entrypoint-scripts/00-decrypt_credentials.sh && \
+    chmod 755 /entrypoint-scripts/01-wazuh.sh && \
+    chmod 755 /entrypoint-scripts/02-set_filebeat_destination.sh && \
+    chmod 755 /entrypoint-scripts/03-config_filebeat.sh && \
    chmod 755 /entrypoint-scripts/05-remove_credentials_file.sh && \
    chmod 755 /entrypoint-scripts/10-backups.sh && \
    chmod 755 /entrypoint-scripts/20-ossec-configuration.sh
@@ -111,5 +116,9 @@ RUN chmod 755 /entrypoint.sh && \
 COPY --chown=root:ossec config/agents.js /var/ossec/api/controllers/agents.js
 RUN chmod 770 /var/ossec/api/controllers/agents.js

+# Load wazuh alerts template.
+ADD https://raw.githubusercontent.com/wazuh/wazuh/$TEMPLATE_VERSION/extensions/elasticsearch/7.x/wazuh-template.json /etc/filebeat
+RUN chmod go-w /etc/filebeat/wazuh-template.json 
+
 # Run all services
 ENTRYPOINT ["/entrypoint.sh"]
--- a/wazuh/config/02-set_filebeat_destination.sh
+++ b/wazuh/config/02-set_filebeat_destination.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+##############################################################################
+# Set Filebeat destination.  
+##############################################################################
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    echo "FILEBEAT - Set destination to Elasticsearch"
+    cp filebeat_to_elasticsearch.yml /etc/filebeat/filebeat.yml
+
+elif [[ $FILEBEAT_DESTINATION == "logstash" ]]; then
+
+    echo "FILEBEAT - Set destination to Logstash"
+    cp filebeat_to_logstash.yml /etc/filebeat/filebeat.yml
+
+else
+    echo "FILEBEAT - Error choosing destination. Set default filebeat.yml "
+fi
+
+echo "FILEBEAT - Set permissions"
+
+chmod go-w /etc/filebeat/filebeat.yml
--- a/wazuh/config/03-config_filebeat.sh
+++ b/wazuh/config/03-config_filebeat.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Wazuh App Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+set -e
+
+if [[ $FILEBEAT_DESTINATION == "elasticsearch" ]]; then
+
+    WAZUH_FILEBEAT_MODULE=wazuh-filebeat-0.1.tar.gz
+
+    # Modify the output to Elasticsearch if th ELASTICSEARCH_URL is set
+    if [ "$ELASTICSEARCH_URL" != "" ]; then
+    >&2 echo "FILEBEAT - Customize Elasticsearch ouput IP."
+    sed -i 's|http://elasticsearch:9200|'$ELASTICSEARCH_URL'|g' /etc/filebeat/filebeat.yml
+    fi
+
+    # Install Wazuh Filebeat Module
+
+    >&2 echo "FILEBEAT - Install Wazuh Filebeat Module."
+    curl -s "https://packages.wazuh.com/3.x/filebeat/${WAZUH_FILEBEAT_MODULE}" | tar -xvz -C /usr/share/filebeat/module
+    mkdir -p /usr/share/filebeat/module/wazuh
+    chmod 755 -R /usr/share/filebeat/module/wazuh
+
+fi
--- a/wazuh/config/filebeat_to_elasticsearch.yml
+++ b/wazuh/config/filebeat_to_elasticsearch.yml
@@ -0,0 +1,55 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
+# Wazuh - Filebeat configuration file
+filebeat.inputs:
+  - type: log
+    paths:
+      - '/var/ossec/logs/alerts/alerts.json'
+
+setup.template.json.enabled: true
+setup.template.json.path: "/etc/filebeat/wazuh-template.json"
+setup.template.json.name: "wazuh"
+setup.template.overwrite: true
+
+processors:
+  - decode_json_fields:
+      fields: ['message']
+      process_array: true
+      max_depth: 200
+      target: ''
+      overwrite_keys: true
+  - drop_fields:
+      fields: ['message', 'ecs', 'beat', 'input_type', 'tags', 'count', '@version', 'log', 'offset', 'type', 'host']
+  - rename:
+      fields:
+        - from: "data.aws.sourceIPAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.aws.sourceIPAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.srcip"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.srcip: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+  - rename:
+      fields:
+        - from: "data.win.eventdata.ipAddress"
+          to: "@src_ip"
+      ignore_missing: true
+      fail_on_error: false
+      when:
+        regexp:
+          data.win.eventdata.ipAddress: \b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
+
+output.elasticsearch:
+  hosts: ['http://elasticsearch:9200']
+  #pipeline: geoip
+  indices:
+    - index: 'wazuh-alerts-3.x-%{+yyyy.MM.dd}'
--- a/wazuh/config/filebeat_to_logstash.yml
+++ b/wazuh/config/filebeat_to_logstash.yml
@@ -1,3 +1,5 @@
+# Wazuh Docker Copyright (C) 2019 Wazuh Inc. (License GPLv2)
+
 # Wazuh - Filebeat configuration file
 filebeat:
 inputs:
@@ -10,4 +12,4 @@ output:
   # The Logstash hosts
         hosts: ["logstash:5000"]
 #   ssl:
-#     certificate_authorities: ["/etc/filebeat/logstash.crt"]
+#     certificate_authorities: ["/etc/filebeat/logstash.crt"]